GAO report says EPA must keep improving IT security

Sep 01, 2000

By Shruti Daté

GCN Staff

In a follow-up to its review last winter of security at the Environmental Protection Agency, the General Accounting Office has advised the agency that its information security programs still need work.

'Our review found serious and pervasive problems that essentially rendered EPA's agencywide information security program ineffective,' the GAO concluded in the report, Information Security: Fundamental Weaknesses Place EPA Data and Operations at Risk.

A recent GAO report accused EPA of failing to follow risk management planning as recommended by OMB and NIST.

The report, released last month, updates a review by the congressional watchdog agency that was done at the behest of Rep. Thomas Bliley (R-Va.), House Commerce Committee chairman.

In the original review, GAO found deficiencies in EPA's password protection, access controls, incident detection and mitigation capabilities. The audit team, in fact, successfully penetrated the agency's firewall and took control of other perimeter defenses, gaining access to systems on EPA's internal network.

The agency has worked to reduce the exposure of its systems and data and to correct identified weaknesses, auditors found.

Its efforts include the establishment of a technical information security staff and a review of the agency's information protection policies.

'EPA's actions show that the agency is taking a comprehensive and systematic approach that should help ensure that its efforts are effective,' the report said. The agency must, however, intensify its efforts, GAO said.

EPA officials agree with this finding. 'Even though we have made many enhancements in our program since the first of the year, we recognize that the agency must continue to improve our security procedures,' noted Margaret Schneider, principal deputy assistant administrator, in a written response to the report.

Recently, George A. Bonina, director of EPA's information security staff, acknowledged that the agency has more work to do because advances in technology have surpassed EPA's data management and security programs [GCN, Aug. 7, Page 12]. But he denies that EPA was neglectful; it just did not act quickly enough.